For Xenial, also take into account the changes done between 1.10.0 and
1.10.3. Note the CVE issue is already fixed in the Security repository,
but other bugfixes should probably be included.
Changes with nginx 1.10.3 31 Jan 2017
*) Bugfix: in the "add_after_body" directive when used with the
"sub_filter" directive.
*) Bugfix: unix domain listen sockets might not be inherited during
binary upgrade on Linux.
*) Bugfix: graceful shutdown of old worker processes might require
infinite time when using HTTP/2.
*) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
directives client request body might be corrupted; the bug had
appeared in 1.10.2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2; the bug had appeared in 1.10.2.
*) Bugfix: an incorrect response might be returned when using the
"sendfile" directive on FreeBSD and macOS; the bug had appeared in
1.7.8.
*) Bugfix: a truncated response might be stored in cache when using the
"aio_write" directive.
*) Bugfix: a socket leak might occur when using the "aio_write"
directive.
Changes with nginx 1.10.2 18 Oct 2016
*) Change: the "421 Misdirected Request" response now used when
rejecting requests to a virtual server different from one negotiated
during an SSL handshake; this improves interoperability with some
HTTP/2 clients when using client certificates.
*) Change: HTTP/2 clients can now start sending request body
immediately; the "http2_body_preread_size" directive controls size of
the buffer used before nginx will start reading client request body.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
*) Bugfix: the "Content-Length" request header line was always added to
requests passed to backends, including requests without body, when
using HTTP/2.
*) Bugfix: "http request count is zero" alerts might appear in logs when
using HTTP/2.
*) Bugfix: unnecessary buffering might occur when using the "sub_filter"
directive; the issue had appeared in 1.9.4.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: an incorrect response might be returned when using the "aio
threads" and "sendfile" directives; the bug had appeared in 1.9.13.
*) Workaround: OpenSSL 1.1.0 compatibility.
Changes with nginx 1.10.1 31 May 2016
*) Security: a segmentation fault might occur in a worker process while
writing a specially crafted request body to a temporary file
(CVE-2016-4450); the bug had appeared in 1.3.9.
** Description changed:
- There are a lot of bugfixes in 1.10.3, including HTTP/2 fixes, that
+ [Impact]
+
+ Two releases are affected: Xenial and Yakkety.
+
+ There are a bunch of bugfixes in 1.10.3, including HTTP/2 fixes, that
should be included in Ubuntu. This is detailed here in the upstream
- changelog:
+ changelog from nginx:
Changes with nginx 1.10.3 (31 Jan 2017)
*) Bugfix: in the "add_after_body" directive when used with the
"sub_filter" directive.
*) Bugfix: unix domain listen sockets might not be inherited during
binary upgrade on Linux.
*) Bugfix: graceful shutdown of old worker processes might require
infinite time when using HTTP/2.
*) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
directives client request body might be corrupted; the bug had
appeared in 1.10.2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2; the bug had appeared in 1.10.2.
*) Bugfix: an incorrect response might be returned when using the
"sendfile" directive on FreeBSD and macOS; the bug had appeared in
1.7.8.
*) Bugfix: a truncated response might be stored in cache when using the
"aio_write" directive.
*) Bugfix: a socket leak might occur when using the "aio_write"
directive.
+
+ [Test Case]
+
+ No test cases available as there are no bugs filed for any of these in
+ Ubuntu. However, due to HTTP/2, any 'bugs' in these which may corrupt
+ data or not kill worker processes correctly, or segfault, should be
+ addressed.
+
+ [Regression Potential]
+
+ All these bugfixes were tested upstream by the nginx team, and do not
+ pose a regression risk to the existing software versions or features of
+ Ubuntu in affected releases.
+
+ [Other Info]
+
+ I will be uploading nginx 1.10.3 directly to Zesty today, and then have
+ a merge ready by the end of the week for Zesty from Debian, which pulls
+ in dynamic module support, etc. This SRU is written here ahead of
+ having the Zesty update done, because this happens to be on my list of
+ things to get done before the Zesty update.
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4450
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1663937
Title:
[SRU] Please update nginx in Xenial and Yakkety to 1.10.3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1663937/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
